Once you've already set up your certs using bncert-tool, the thing you actually need to replace every 30 days is the base certificates which you created by following https://lightsail.aws.amazon.com/ls/docs/en_us/articles/amazon-lightsail-using-lets-encrypt-certificates-with-nginx.
You'll need to do the DNS challenges again using TXT records in Lightsail.
Make a note of the expiry date.
See link above to set env vars.
sudo ln -s /etc/letsencrypt/live/$DOMAIN/privkey.pem /opt/bitnami/apps/ghost/conf/certs/server.key
sudo ln -s /etc/letsencrypt/live/$DOMAIN/fullchain.pem /opt/bitnami/apps/ghost/conf/certs/server.crt
If you get this backwards (set up www to non-www direction you'll end up with this "Awesome! Ghost is now installed" error when going to the non-www version, but the blog will work at the www version. https://community.bitnami.com/t/awesome-ghost-is-now-installed-but-its-not-letting-me-access/53462/7
So just redirect non-www to www.
Remove the :80 from the url. Leave everything else alone (don't set this to https, it won't work)
sudo /opt/bitnami/ctlscript.sh restart
Initial load (i.e. affect.blog) will go to a non-https version but clicking links and subsequent loads will be via HTTPS
Run bncert-tool and go with defaults: Choose http to https redirect Choose non www to www redirect Don't choose www to non-www redirect
ServerName in httpd.conf should be localhost:80
bnconfig may have been renamed to bnconfig.disabled